In December 2019, Citrix announced that a vulnerability had been found in Citrix Application Delivery Controller (ADC) and Citrix Gateway. The critical remote code execution vulnerability is yet to be patched, leaving users worried that an attacker could exploit the flaw to gain a foothold and, from there, deploy ransomware.
Potentially thousands of businesses globally are now at risk from the vulnerability, and businesses that publish applications through these appliances may be exposing their internal networks.
The vulnerability, tracked as CVE-2019-19781, is reported to be very easy to exploit: an unauthenticated remote attacker can execute arbitrary code on the appliance and use that access to reach private network resources behind it, all without credentials.
Many security researchers have set up scanners and honeypots to track which Citrix servers are vulnerable and who is probing for them. Scans run by researcher Troy Mursch found large numbers of affected organisations, including governments, universities, hospitals and financial institutions.
Citrix has not yet released a fix for the issue but has published mitigation steps that can help guard businesses against attacks in the meantime. Citrix plans to ship firmware updates, in the form of refresh builds, for all supported versions of Citrix ADC and Citrix Gateway before the end of January 2020.
Very little detail about the vulnerability has been published so far, but the mitigation is a responder policy that blocks requests to the appliance's VPN endpoints which contain directory traversal sequences, which strongly suggests the flaw is a path traversal in the SSL VPN request handling. Note that the mitigation is only effective if the responder policy is actually bound and enforced, so it is worth confirming that blocked requests return the expected error after applying it.
Many systems worldwide remain exposed to the flaw until the full fix is released. The infosecurity community has reported that at least two Proof-of-Concept (PoC) exploits for the vulnerability are available on GitHub, meaning that exploit attempts are likely to skyrocket.
One PoC, released by 'Project Zero India', consists of two requests: the first writes a template file onto the appliance that embeds an attacker-supplied shell command, and the second requests that file back so the output of the command is returned to the attacker.
Citrix users are advised to apply the mitigation steps immediately and to install the full fix as soon as it is available in a few weeks' time. Because working exploits are public, it is also worth reviewing appliance logs for traversal attempts against the VPN paths that predate the mitigation.
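Because the mitigation filters traversal sequences in VPN requests and the public PoC works as a write-then-read pair of requests, one practical thing to do right now is to check existing web access logs for that pattern. The following is an added example written for this article, not code from Citrix or from any PoC author: it parses Apache-style access log lines (the sample lines below are constructed, and the request paths in them are illustrative placeholders rather than the real exploit endpoints), URL-decodes each request path, and flags requests that use `..` traversal to reach the `/vpns/` tree, which is the same condition the responder-policy mitigation keys on. It then groups hits by source address so a write followed by a read from the same host stands out.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample log lines for demonstration only; not real traffic.
# Paths are placeholders that show the traversal pattern, not actual exploit URLs.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2020:10:15:32 +0000] "GET /vpn/index.html HTTP/1.1" 200 512
203.0.113.10 - - [11/Jan/2020:10:15:40 +0000] "GET /vpn/../vpn/index.html HTTP/1.1" 200 512
198.51.100.7 - - [11/Jan/2020:10:16:01 +0000] "POST /vpn/../vpns/portal/scripts/example.pl HTTP/1.1" 200 0
198.51.100.7 - - [11/Jan/2020:10:16:05 +0000] "GET /vpn/..%2fvpns/portal/example.xml HTTP/1.1" 200 300
192.0.2.5 - - [11/Jan/2020:10:17:00 +0000] "GET /vpns/portal/home.html HTTP/1.1" 200 1024
203.0.113.10 - - [11/Jan/2020:10:18:12 +0000] "GET /vpn/%252e%252e/vpns/cfg/example.conf?x=1 HTTP/1.1" 200 84
"""

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def decode_path(target: str) -> str:
    """Strip the query string and percent-decode repeatedly (bounded) so that
    encoded or double-encoded dots and slashes cannot hide a traversal."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_vpns_traversal(target: str) -> bool:
    """True if the request uses '..' traversal and resolves into the /vpns/ tree.

    This mirrors the mitigation's filter (a VPN path containing '/../') but is
    stricter: plain requests to /vpns/ without traversal are not flagged, since
    a log line cannot tell an authenticated VPN session from an anonymous one.
    """
    raw = decode_path(target)
    resolved = normpath(raw)
    return "/../" in raw and resolved.startswith("/vpns/")


def scan_log(text: str) -> list:
    """Return one finding per log line that looks like a traversal into /vpns/."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        if is_vpns_traversal(m.group("target")):
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "path": decode_path(m.group("target")),
                "status": int(m.group("status")),
            })
    return findings


def by_source(findings: list) -> dict:
    """Group findings by client IP; a POST followed by a GET from one host
    matches the write-then-read shape of the public PoC."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["ip"]].append((f["method"], f["path"]))
    return dict(grouped)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, reqs in by_source(hits).items():
        print(ip)
        for method, path in reqs:
            print(f"  {method} {path}")
```

Run it against a real access log by passing the file contents to `scan_log`; anything it returns was a traversal attempt that reached the VPN tree, and a 200 status on such a request before the mitigation was applied is a reason to treat the appliance as potentially compromised rather than merely exposed.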
Have you been affected by the Citrix vulnerability? Let us know if you had to apply the mitigation steps by tweeting us @hyve!